OSCP Study Progress – September 2017

This is meant to be a personal log of study progress toward OSCP certification.

9/26/2017
Lab Progress: New machine again, this one has the following ports/services open: 21/FTP, 22/SSH, 80/HTTP, 110/POP3, 143/IMAP, 3306/MySQL on FreeBSD. Was able to get into the MySQL admin page (a second, URL-brute-forced one; the first, more predictable one didn’t work) with default creds. Dumped passwords for several users and cracked their hashes, but stuck on where to use them. Can’t use them on MySQL login, SSH, or FTP. Will see if I can somehow exploit something within the logged-in admin page. Or try to explore more on where the login/pwds could be used.

9/25/2017
Lab Progress: I was able to get shell on the previous machine. It had a very specific “trick” to solve it which I won’t spoil here. I am noticing going through the labs that my level of familiarity with Windows machines is much less than I would like. I think this is in large part due to the fact that machines on PentesterLab/VulnHub are almost exclusively Linux-based. I know VulnHub at least hosts tools that help create vulnerable Windows VMs, and there are more to be found…so I will definitely try and focus on remedying this during and after the lab period.

9/24/2017
Lab Progress: Machine 2 – Win2000 server running many services: FTP, ESMTP, IIS, RPC, NetBIOS, RPC, TightVNC. Navigating to the website on port 80, I’m presented with a login prompt which is susceptible to SQL injection. Login bypassed but successful auth just leads to “successful login” screen. Will need to experiment more to try to use SQLi to acquire useful info.

FTP Service + TightVNC on list to research exploits for.

9/23/2017
Lab Progress: Bad timing to get sick…took a rest day yesterday. I tried a couple of different webshells with the first box along with using ports like 80, 443, etc. but it didn’t seem to make a difference. Any changes within WordPress reverted after just a couple of minutes, and any webshell session created would get booted off in about the same time frame so I had to be fast. I prepared 3 separate priv-esc exploits and put them on a webserver hosted in Kali. Had all my WGET paths ready, webshell code ready, etc. Rushed through the webshell creation and first exploit as fast as I could and was able to root and get the flag from /root/! This was a good learning experience for later as I should establish some good methods going forward for gaining permanence on a machine.


TopHatSec: Freshly – Vulnhub Writeup

Source: https://www.vulnhub.com/entry/tophatsec-freshly,118/

For this next writeup I wanted to try out a vulnerable VM that dealt at least in part with SQL-injection as a means to exploit.  I’m not entirely sure how this will turn out because I tried to be relatively cautious in avoiding any possible spoilers while searching for VMs exploitable in this way.  I’ll just cross my fingers and start…

Start off with a quick host discovery nmap scan to find the target’s IP:

nmap 192.168.111.0/24 -sP


pfSense OpenVPN Setup with FreeRadius3 2fa Authentication: Part 3 (Final Setup)

Part 1: OpenVPN Setup
Part 2: FreeRADIUS3 Setup
Part 3: Final Setup – Connecting the Two

PART 3: Final Setup – configuring OpenVPN to use FreeRadius3 for authentication

In this last section we will be enabling FreeRADIUS3 authentication within OpenVPN.

Go to the VPN menu, OpenVPN, then go to the Servers tab.

Click the edit icon by the server you set up previously.


pfSense OpenVPN Setup with FreeRadius3 2fa Authentication: Part 2 (FreeRADIUS 3 Setup)

Part 1: OpenVPN Setup
Part 2: FreeRADIUS3 Setup
Part 3: Final Setup – Connecting the Two

PART 2: FreeRADIUS 3 Setup (standalone installation)

Begin simply by installing the FreeRADIUS 3 (current version: 0.15) package by going to System: Package Manager: Available Packages and clicking install.

Once installed, we’ll begin the setup by going into the Services menu, then FreeRADIUS.

From here we will start by setting up a new listening interface for FreeRADIUS.  Go to the Interfaces tab and click Add.


SickOs: 1.2 – VulnHub Writeup

Source: https://www.vulnhub.com/entry/sickos-12,144/

VM Preparation

First off, similarly to SickOs 1.1, I will be adapting this VM to work within VirtualBox as it is originally built for VMware.

Like before, create a new VM in VirtualBox using the following settings:

Name: SickOs 1.2
Type: Linux
Version: Ubuntu or Debian (64-bit)
Memory: At least 512MB
Hard Disk: Do not add a virtual disk


pfSense OpenVPN Setup with FreeRadius3 2fa Authentication: Part 1 (OpenVPN Setup)

The purpose of this 3-part series will be to implement FreeRADIUS3 authentication with OpenVPN and allow you to use 2-factor authentication methods such as Google Authenticator.

Prerequisites:  This guide will assume you have pfSense version 2.3.4+ installed, and are starting from scratch setting up OpenVPN + the FreeRadius3 package.

Part 1: OpenVPN Setup
Part 2: FreeRADIUS3 Setup
Part 3: Final Setup – Connecting the Two

PART 1: OpenVPN Setup (standalone installation)


SickOs: 1.1 – VulnHub Writeup

Source: https://www.vulnhub.com/entry/sickos-11,132/

Some initial notes:  The SickOs series has been recommended by a lot of people to be fairly similar to OSCP labs so I figure it should be some good enriching practice.  I think I’m going to try to make it a point with each new writeup to either try out some new tools, or at least use past tools in new or more focused ways for better efficiency.

Though this VM is built for VMware, I’ve always been more of a VirtualBox guy so we’ll start off by importing the machine into VBox.

To do so, create a brand new VM in VirtualBox with the following settings:

Name: SickOs 1.1
Type: Linux
Version: Ubuntu or Debian (64-bit)
Memory: At least 512MB
Hard Disk: Do not add a virtual disk
